On Wed 16-01-19 12:03:27, Dmitry Vyukov wrote: > On Wed, Jan 16, 2019 at 11:43 AM Jan Kara <jack@xxxxxxx> wrote: > > > > On Wed 16-01-19 10:47:56, Dmitry Vyukov wrote: > > > On Fri, Jan 11, 2019 at 1:46 PM Tetsuo Handa > > > <penguin-kernel@xxxxxxxxxxxxxxxxxxx> wrote: > > > > > > > > On 2019/01/11 19:48, Dmitry Vyukov wrote: > > > > >> How did you arrive to the conclusion that it is harmless? > > > > >> There is only one relevant standard covering this, which is the C > > > > >> language standard, and it is very clear on this -- this has Undefined > > > > >> Behavior, that is the same as, for example, reading/writing random > > > > >> pointers. > > > > >> > > > > >> Check out this on how any race that you might think is benign can be > > > > >> badly miscompiled and lead to arbitrary program behavior: > > > > >> https://software.intel.com/en-us/blogs/2013/01/06/benign-data-races-what-could-possibly-go-wrong > > > > > > > > > > Also there is no other practical definition of data race for automatic > > > > > data race detectors than: two conflicting non-atomic concurrent > > > > > accesses. Which this code is. Which means that if we continue writing > > > > > such code we are not getting data race detection and don't detect > > > > > thousands of races in kernel code that one may consider more harmful > > > > > than this one the easy way. And instead will spent large amounts of > > > > > time to fix some of then the hard way, and leave the rest as just too > > > > > hard to debug so let the kernel continue crashing from time to time (I > > > > > believe a portion of currently open syzbot bugs that developers just > > > > > left as "I don't see how this can happen" are due to such races). > > > > > > > > > > > > > I still cannot catch. Read/write of sizeof(long) bytes at naturally > > > > aligned address is atomic, isn't it? > > > > > > Nobody guarantees this. According to C non-atomic conflicting > > > reads/writes of sizeof(long) cause undefined behavior of the whole > > > program. > > > > Yes, but to be fair the kernel has always relied on long accesses to be > > atomic pretty heavily so that it is now de-facto standard for the kernel > > AFAICT. I understand this makes life for static checkers hard but such is > > reality. > > Yes, but nobody never defined what "a long access" means. And if you > see a function that accepts a long argument and stores it into a long > field, no, it does not qualify. I bet this will come at surprise to > lots of developers. Yes, inlining and other optimizations can screw you. > Check out this fix and try to extrapolate how this "function stores > long into a long leads to a serious security bug" can actually be > applied to whole lot of places after inlining (or when somebody just > slightly shuffles code in a way that looks totally safe) that also > kinda look safe and atomic: > https://lore.kernel.org/patchwork/patch/599779/ > So where is the boundary between "a long access" that is atomic and > the one that is not necessary atomic? So I tend to rely on "long access being atomic" for opaque values (no flags, no counters, ...). Just value that gets fetched from some global variable / other data structure, stored, read, and possibly compared for equality. I agree the compiler could still screw you if it could infer how that value got initially created and try to be clever about it... Honza -- Jan Kara <jack@xxxxxxxx> SUSE Labs, CR
